PHP not reflecting desired HTML - php

I'm making a website where a user should be able to use HTML and CSS in their profiles but I came across one problem.
<?php
$profile = "<h1>THIS IS A TEST</h1>";
echo htmlentities($profile);
?>
That's my code, but it only shows this in the profile:
<h1>THIS IS A TEST&amp</h1>
I don't know what is happening, nor do I know if this only happens to me.
How do I make it show only the h1 content?

Function htmlentities is showing the representation of html characters like tags etc., and is being used especially to avoid parsing as html. So if you mean to echo html so that the browser parses it as html, the last thing you want is to use this function! Just echo it out directly, no need to use htmlentities or htmlspecialchars!

You just have to use echo $profile;, that's all. Check this and don't forget to check Display as HTML as browsers display PHP echoed text as HTML unless they're told to display it differently.

Related

echo+htmlentities is not working properly?

I have this code:
$title = 'Alguém';
<h1><?php echo htmlentities($title, \ENT_QUOTES, 'UTF-8', false); ?></h1>
PS: this is just an example; in my current code I get the value of $title from my database.
The result that can be seen on the web page:
<h1>Alguém</h1>
And the result that can be seen in the view-source:
<h1>Algu&eacute;m</h1>
Why does this happen? Am I using htmlentities correctly?
Your code is working correctly. htmlentities converts html entities into a defined series of characters that your browser can interpret as the entity you want to display in your browser. This is done to prevent malicious code from being run in your script.
As an example:
Without html entities being used this line of code will actually work. Your browser sees the line of code as:
<script>alert("I just hacked your html")</script>
When you sanitize that same line of code with htmlentities() it replaces all of the entities with the defined series of character representations that the browser interprets as the entity. So this is what gets outputted to the browser.
&lt;script&gt;alert(&quot;I just hacked your html&quot;)&lt;/script&gt;
This script will not get run as JavaScript in your browser.
Here is a link that you can read that will give you some additional information. There is plenty of information on google that outlines this.
html entities
Here is a list of html entities:
Entity list
Hope that helps.
echo htmlentities($title, ENT_QUOTES);

use a href inside html entities

I use HTML entities to secure my site.
And my client wants to add a link in his post using the CMS.
How do I make an exception in HTML entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I don't know my data insert '\'
//It becomes Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to their original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed through htmlentities:
&ltscript&gthacks&lt (whatever backslash is)script&gt
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
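One way to allow links while still encoding everything else, as an added example that is not from the original posts: encode the whole message, and turn only http/https URLs into anchors. h() mirrors the asker's helper; safe_link(), linkify() and the sample message are hypothetical.

```php
<?php
// Added example, not code from the original posts.
// h() mirrors the asker's helper; safe_link() and linkify() are hypothetical names.

function h(string $s): string
{
    // ENT_QUOTES also encodes ', so the value is safe inside either quote style.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_link(string $url, string $label): string
{
    // Allowlist the scheme: anything that is not http or https stays plain text.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return h($label);
    }
    return '<a href="' . h($url) . '" rel="nofollow noopener">' . h($label) . '</a>';
}

function linkify(string $message): string
{
    // Split on URLs and keep them: odd indexes are URLs, even indexes are text.
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $message, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        $out .= ($i % 2 === 1) ? safe_link($part, $part) : h($part);
    }
    return $out;
}

// Constructed sample standing in for $row['message'].
$message = 'You can click this link http://www.example.com/?a=1&b=2 <script>hacks</script>';
echo '<p>' . linkify($message) . "</p>\n";
```

The message is stored as the user typed it and encoded only at output, so no html_entity_decode() step is needed.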

How to avoid htmlentities() function in ckeditor?

Hi, I am using the ckeditor plugin to beautify the text given by the user. It was working properly, but now I am trying to increase the security of my website, so I used the htmlentities() function in all places where echo is used.
The problem is that text output from ckeditor is shown as HTML tags in my website because of the effect of the htmlentities() I used. This is the output I am getting in my website:
<p><strong><span style="color:#008080">Superhero</span></strong></p>
So the look of the website is damaged. I want to show the ckeditor text as it is. But htmlentities() must be used.
I searched Stack Overflow and found many issues related to this. So I used the following solution in my ckeditor/config.js page, as below:
config.entities = false;
config.basicEntities = false;
config.entities_greek = false;
config.entities_latin = false;
But it's not working in my code.
Thanks in advance!
Well, as far as I am aware there is no built-in way in PHP to distinguish between malicious injected script tags and normal HTML tags.
This leads to a problem where you want to block malicious scripts, but not valid HTML tags.
When I have to accept user input and display it again, which may contain HTML tags, instead of using htmlentities I use htmlpurifier. Another one I am aware of is safeHtml.
However, there might be better solutions than this, and I am also interested in knowing them as well. Unfortunately, I haven't come across one.
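The HTML Purifier approach from this answer, as an added example that is not from the original posts; it also fits the first question on this page, where profile HTML is echoed without encoding. It assumes HTML Purifier was installed with Composer (ezyang/htmlpurifier); clean_rich_text() and the allowlist contents are hypothetical choices.

```php
<?php
// Added example, not code from the original posts.
// Assumes HTML Purifier installed via Composer; clean_rich_text() is a hypothetical helper.
require __DIR__ . '/vendor/autoload.php';

function clean_rich_text(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Elements and attributes the editor may produce; everything else is dropped.
        $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,h1,h2,h3,span[style],a[href]');
        // Inline CSS is limited to a few presentational properties.
        $config->set('CSS.AllowedProperties', 'color,background-color,text-align,font-weight');
        // Links may only use these URL schemes.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        // Keep the definition cache in a writable directory outside vendor/.
        $config->set('Cache.SerializerPath', sys_get_temp_dir());
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($dirty);
}

// Constructed input: the CKEditor markup from the question followed by the
// script tag used as an example earlier on this page.
$fromEditor = '<p><strong><span style="color:#008080">Superhero</span></strong></p>'
            . '<script>alert("I just hacked your html")</script>';

// Rich-text field: purify, then echo without htmlentities().
echo clean_rich_text($fromEditor), "\n";

// Plain-text field (a title or username): keep encoding it as before.
echo htmlspecialchars('<b>blah</b>', ENT_QUOTES, 'UTF-8'), "\n";
```

Only fields that are meant to carry markup go through the purifier; every other echo keeps its htmlentities() or htmlspecialchars() call.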

PHP remove <body><html>...</html></body> from echo output

I have a php script that does a query in my database and returns a string ( like "2" ). I print it using
print strip_tags('2');
but in the output of my browser I get :
<body><html>2</html></body>
Is there any way to prevent the tags from being printed? Is it maybe that the browser auto adds them?
For all those answering about strip_tags (" 2 ");
THIS IS WRONG:
I want a simple version.php
with
echo '2';
and nothing else. It prints the tags too. I don't have the tags and then try to print.
More explanation to those who try to get easy rep
my code is:
$str = '2';
print strip_tags($str);
and it prints
<html><head></head><body>2</body></html>
It is not possible. The browser creates these elements automatically; without them there would not be any text flow (meaning nothing of this could be made visible). You can just use this variable for any script, it won't include the HTML tags. This is only made by the browser to make it visible for you.
You can use
header("Content-Type: text/plain");
at the beginning of your script, in order to tell the browsers you're only gonna send plain text, not html. This will prevent your browser from automatically adding those html tags.
Then, check what you print (or echo). Here, the body tag should be in html tag.

PHP echo-ing a PHP code inside an echo

I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
&lt;b&gt;blah&lt;/b&gt;
Which will render in the page as
<b>blah</b>
Echo doesn't execute PHP code from a string. This is impossible, and this is not a security hole in your code.
You can use a template engine like Twig, for example.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
